An Update on Cryptowall

A week or so ago, our Agent Kate B wrote a blog post warning clients about a troublesome type of malware that is making its way around the Web these days. This malware, called Cryptolocker or Cryptowall, is particularly dangerous because it encrypts all the data on your computer, rewriting it and making it unreadable. As Kate pointed out, the most troubling aspect of this malware is the encryption is complex enough that there is no technical solution that can reverse it. Without the private encryption key controlled by the malware writer, your data is just a pile of zeroes and ones. And there is nothing anyone can do to change that.

Agent Kate provided a good summary of ways to avoid being infected by this malware in her blog post. Fortunately, some of my computer security colleagues got ahold of some of the private encryption keys used in conjunction with the malware and have made them available to the public. So at least some of the victims of these hacks have been able to recover their data. But, as is often the case in the computer security game, just when it looks like we have a problem under control, a new problem arises.

In this case, the new problem is Cryptowall 3.0, the latest version of these encryption-type malware. Like earlier versions of Cryptowall, this version encrypts the data on the infected device and sends a ransom note offering to provide the private key to decrypt your files for a fee. In addition, Cryptowall 3.0 disables the “Volume Shadow Copy” functionality of the device and destroys any existing Volume Shadow Copy data. Volume Shadow Copy data can sometimes be used to recover and restore previous versions of data on a machine running later versions of Windows (Vista, 7, 8 and 8.1). So this newer version of Cryptowall eliminates one of the only technical solutions victims have at their disposal.

To make things even worse, this variant will even encrypt data that resides on external storage devices and mapped network drives connected to the infected device. So if you back up directly to USB hard drive or a Network Attached Storage (NAS) device, they also might become encrypted.

The spread of this new malware makes it even more important for people with devices connected to the Internet (is anything not connected to the Internet anymore?!) to have a robust data backup strategy for their machines. To win against encryption based malware, it is critical that this solution supports versioning. We have seen clients whose machines have become infected with one of these malware variants and didn’t realize it before their backup solution copied the encrypted version of their data over their backup, leaving them with two copies of the encrypted files.

A backup solution that supports versioning will prevent this. A backup solution with versioning will always maintain a number of copies of the backed up files, so even if an infected machines encrypted files are copied over the most recent backup, earlier versions will be available. Those earlier versions of the files can then be used to restore the machine to full functionality. Most good backup solutions support versioning, but it is always a good idea to make sure that feature is enabled. As more encryption-based malware hits the Web, a backup with versioning will continue to be an important safeguard for your data.

Of course, the best way to prevent becoming infected by any malware is to always use safe Web-browsing techniques, keep your anti-malware software and OS up-to-date, and make regular backups of your data to something that supports versioning. And never, ever open attachments from suspicious, unusual or unknown sources.

If you need some good security software for your device or network, we have some available here . If you think you might have malware on your computer, chat with an agent to see what we can do to help.